Courthouse News Service has details on a class action suit filed against Blizzard for consumer fraud, unjust enrichment, negligence, breach of contract and bailment over being asked to pay for an authenticator to secure Battle.net accounts (thanks na p), noting that Blizzard has made $26 million selling these things at $6.40 a pop (apparently their presumption is they are free to manufacture). Here's word:

Bell claims that Activision and Blizzard require gamers to use online accounts at the Battle.net website, which collects and stores customers' private information.

Blizzard puts the onus on gamers to buy additional products or tighten security on their devices, rather than making customer accounts more secure, Bell claims.

"Defendants negligently, deliberately, and/or recklessly fail to ensure that adequate, reasonable procedures safeguard the private information stored on this website. As a result of these acts, the private information of plaintiffs and class members has been compromised and/or stolen since at least 2007," according to the 33-page complaint.

"Most recently, on or about May 19, 2012, reports proliferated that class members' Battle.net accounts had suffered a security breach ('hack') at the hands of unknown parties ('hackers'), and on or about August 4, 2012, hackers massively breached Battle.net's security and acquired the private information of all of defendants' customers in the United States, as well as the remainder of North America, Latin America, Australia, New Zealand, and Southeast Asia."

Though account details for millions of gamers were compromised or stolen, Bell says, neither Activision nor Blizzard took "the legally required steps to alert" gamers.

Bell seeks class damages and an injunction to bar the defendants from "tacking on" undisclosed costs after customers have bought games, and from requiring them to sign up for Battle.net accounts.

Julio wrote on Nov 9, 2012, 19:12: I hope Blizzard loses big. Piss-poor security on D3 accounts, all in order to sell authenticators as add-ons. Then making the RMAH part of the game only usable if you buy... guess what, an extra-cost authenticator.

Indeed... What kind of stupid half-assed company doesn't want to deal with that much fraud... FOR SHAME...

I hope a judge knows enough about technology/security, etc, and throws this shit in the trash ; )

m00t wrote on Nov 8, 2012, 22:33: As for sharing a dongle between logins, no way. There's no way a company would let anyone else have access to the key sequence. That'd be the dumbest thing ever and basically make them useless from a real security perspective.

https://idprotect.verisign.com/wheretouse.v There's a list of all the ones that accept the authenticator I'm talking about. The secure stuff isn't shared, the login authentication is all passed through to the company that makes the cards, which in that case is Verisign.

Just like all the physical Blizzard authenticators currently use a company called Vasco (look at the back of your authenticator, it will be marked as such).

Blizzard isn't hosting the authentication servers, Vasco is. Blizzard may be paying them to use it though, I dunno.

Tomas wrote on Nov 8, 2012, 22:51: I get more Blizzard spam than any other type which is pretty impressive. That said, I find it rather ridiculous that I'm expected to buy a special device to protect my accounts. I can see it being necessary for WoW as it's an online only game, but for Diablo III that just doesn't make sense. I mean, I just want to play with my buddies on the LAN. Oh, wait...

So lame, obnoxious joking aside, I was pretty ticked when I saw all the account theft going on with D3, and when I was pretty much told to buy a device to secure my account that was kind of like getting kicked in the jimmy. I was under the impression that you couldn't use your cell phone for D3...did that change or was I just fed bad informatio

Yeah, if there is a piece of hardware (or complementing software) that is essentially mandatory, I expect them to provide it.

They don't sell Guitar Hero without the toy guitar, if this is their solution for security that's fine, but they should do something to make sure it is widely implemente

Actually, they do sell Guitar Hero without the toy guitar. Have for years. As for Battle.net, the authenticator isn't really required and if you want one, it is free. For both Android and iOS devices.

This whole lawsuit is stupid, just like many others. It's not REQUIRED to use for the most part. And if you want to use the RMAH on D3, then get the damn FREE version for your smartphone and don't pay anything. This is just typical American greed run amuck.

I applaud Blizzard for implementing the authenticator system. No security system is perfect. This adds another layer that is pretty damn effective. Especially for the people who don't know how to keep their own computers secure.

Seriously, if their goal was to make a profit on this, why would they give away a free version and advertise it prominently? The (at or near cost) dongle version is to give people without a smartphone an option. For everyone else, it is free.

No security is perfect, and Blizzard knows this. There exists a third party system that significantly increases security because it isn't at Blizzard - it is sitting on the customer's desk. A hacker would have to be in your living room to get the code.

It isn't 'mandatory' - if you don't want it, you'd still get the same level of security you'd get with any major online service.

Furthermore, this isn't about Blizzard's security, it is about yours. This is a counter to the sheer number of people who were getting their accounts hacked, not through compromises at Blizzard, but through trojans, obvious passwords and similar crappy personal security. This is an extra line of security on the customer's end.

They require the authenticators when using the RMAH because people also have their PayPal accounts attached to their Blizzard account. I've been using the mobile authenticator for years and have never had a problem -- same goes for my friends and family. D3 is still pretty lame, though.

Draugr wrote on Nov 9, 2012, 01:36: So there is a part of the game that you don't get access to unless an authenticator is involved? Sounds like getting screwed to me, especially when you consider this only became policy AFTER the game's release. Parts of the game were taken away from you unless you met their NEW criteria. I don't know or particularly care if it's worthy of a class action suit, but them providing a solution is how I feel about the situation.

There is only one thing that 'requires' the authenticator: the Real Money Auction House. You don't need to use the RMAH. You can simply use the normal gold auction house and that doesn't require an authenticator. So only one entirely optional, with an effective alternative, requires you to have the authenticator. You can play the entire game, go online with friends and strangers, use the gold auction house, and never touch an authenticator (assuming you have a good password policy and aren't stupid enough to get phished). It's 'nice to have' for stupid people but it's certainly not required to play the actual game itself in any way.

Yeah, if there is a piece of hardware (or complementing software) that is essentially mandatory, I expect them to provide it.

This. It is insulting beyond belief that Blizzard would have the gall to charge extra or require use of third party solutions for security.

You don't HAVE to use the authenticator. Only if you want to use the RMAH. And you can use it FOR FREE if you have a smartphone. Thus the entire concept of 'enriching' themselves is entirely logically inconsistent.

I agree that the Class Action suit is a bit goofy, but their game is coded very specifically to strongly encourage (if only a hair short of mandating) use of the auction house, then obviously the added security of an authenticator is a must. It ought to have been provided by them instead of making people pony up more cash for one or use a third party one. The former is just a cynical milking of your fanbase and the latter is just carelessly dismissive of their own obligation to make sure people using their game's features are as protected as they can be. In my opinion of course.

I use the Gold AH fine to level up my char to get stuff. If you just play the game, and want to use the Gold AH you don't need the authenticator at all. If you have a reasonable password policy you're fine. All claims of 'mass hijacks' were just people with bad/reused passwords. And again you can get the authenticator for free via any smartphone, or even on your desktop by using the Android SDK to emulate one. If cost is really a huge issue there are ways around it. The auth is just added security, but isn't actually required unless you use the RMAH. Otherwise it's just 'nice to have'. The problem is that people who use these games have incredibly bad passwords, or are easily tricked into giving them away for FREE GOLD or whatever nonsense they want in the game. User stupidity is the reason authenticators exist for about 95% of the population.

You only NEED the auth for the RMAH. And again you don't 'need' to use that. You can use the Gold AH to get what you need.

Tomas wrote on Nov 8, 2012, 22:51: I get more Blizzard spam than any other type which is pretty impressive. That said, I find it rather ridiculous that I'm expected to buy a special device to protect my accounts. I can see it being necessary for WoW as it's an online only game, but for Diablo III that just doesn't make sense. I mean, I just want to play with my buddies on the LAN. Oh, wait...

So lame, obnoxious joking aside, I was pretty ticked when I saw all the account theft going on with D3, and when I was pretty much told to buy a device to secure my account that was kind of like getting kicked in the jimmy. I was under the impression that you couldn't use your cell phone for D3...did that change or was I just fed bad informatio

Note D3 is basically an online game like WoW

The SMS auth portion wasn't compatible with D3. But you could get an authenticator on your smartphone for free. And you can emulate an Android SDK on your desktop to get the Android app if you really don't want the physical auth.
